It's today really hard to figure out if your SSL connection is actually *using* SSL compression. This got extra hard when the default value started getting influenced by environment variables, at least on many platforms, after the CRIME attacks. ISTM we should be making this easier for the user.

Attached patch adds compression info at least to the header of the psql banner, as that's very non-intrusive. I think this is a small enough change, yet very useful, that we should squeeze it into 9.4 before the next beta. Not sure if it can be qualified enough of a bug to backpatch further than that though.

As far as my research shows, the function SSL_get_current_compression() which it uses was added in OpenSSL 0.9.6, which is a long time ago (stopped being maintained in 2004). AFAICT even RHEL *3* shipped with 0.9.7. So I think we can safely rely on it, especially since we only check for whether it returns NULL or not.

Comments?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c index cede72a..b8a8e35 100644 --- a/src/bin/psql/command.c +++ b/src/bin/psql/command.c @@ -1800,8 +1800,9 @@ printSSLInfo(void) return; /* no SSL */ SSL_get_cipher_bits(ssl, &sslbits); - printf(_("SSL connection (protocol: %s, cipher: %s, bits: %d)\n"), - SSL_get_version(ssl), SSL_get_cipher(ssl), sslbits); + printf(_("SSL connection (protocol: %s, cipher: %s, bits: %d, compression: %s)\n"), + SSL_get_version(ssl), SSL_get_cipher(ssl), sslbits, + SSL_get_current_compression(ssl) ? gettext_noop("yes") : gettext_noop("no")); #else /*
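
Review bot: the "yes"/"no" arguments in the new printf call are wrapped in gettext_noop(), which only marks a string for extraction and does not translate it at run time, while the format string itself goes through _(). A localized banner would therefore show a translated sentence with an English "yes" or "no" in the compression field. Use `_("yes") : _("no")` for the two values so they are looked up in the same catalog as the surrounding message.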